Cysiv Blog

MITRE ATT&CK + Cysiv: A Match Made for Gap Detection


Cysiv has recently launched an exciting and powerful new feature in Cysiv Command, our next-gen SIEM platform. It supports the MITRE ATT&CK framework and helps users determine where their detection gaps are and how to address them.

But first, a quick refresher…

The MITRE ATT&CK framework is a leading tool for security practitioners. It provides a knowledge base of adversary tactics, techniques, and procedures (TTPs) based on observations from millions of attacks on organizations. It is the foundation for widely used threat models and methodologies.

In essence, the framework enables security teams to understand attackers' threats better and take steps to mitigate those threats.

A new MITRE ATT&CK preparedness feature of Cysiv Command leverages the framework to provide users (clients and Cysiv SOC analysts alike) with a powerful dashboard to ensure you are protected against potential attack TTPs. 

The new Cysiv dashboard provides a real-time view of your detection coverage against the potential TTPs that can threaten your organization's systems and data. It displays technique coverage by data source and identifies detection gaps. 

Users can also use the dashboard to understand how ingesting additional data sources would improve MITRE ATT&CK technique coverage, and it flags when a data source needed to cover a technique goes offline. Clicking a technique on the dashboard opens the Cysiv Command Rules tab, which lists the rules and data sources that make up the detection coverage for that technique.

The dashboard is color-coded to provide easy-to-read status. Green indicates that the data source telemetry needed for probable detection of the MITRE technique is online. Dark grey indicates that the data source telemetry needed for probable detection has not been onboarded to your instance of Cysiv Command. Red indicates that the data sources are onboarded, but Cysiv Command is not receiving telemetry from one or more of them.

Here's Mark Chatoor, our Director of Product Management, explaining the MITRE ATT&CK framework and demonstrating this exciting and valuable new feature (9 minutes).

MITRE ATT&CK Demo Video

Dashboard Use Cases

Here are three common use cases for our MITRE ATT&CK dashboard:

  1. Prioritizing Data Sources to be Onboarded: You can plan your data source input strategy using the MITRE ATT&CK framework. During the onboarding planning phase you select data sources to simulate the potential detection coverage they would provide. You can prioritize data ingestion based on the number of techniques covered, the techniques known to be executed by adversaries in your environment, or gaps in your security controls. This use case answers the question: "What data sources should I ingest for technique coverage?"
  2. Analyzing Gaps in Detection Coverage: You can identify the highest-priority gaps in your current detection coverage. You can do this by determining which parts of your enterprise lack visibility, visualizing potential blind spots that let adversaries gain access to your networks undetected and unmitigated, identifying gaps to prioritize investments in your security program, or visualizing lapses in technique coverage caused by data sources being offline. This use case answers the question: "Where are my potential blind spots for an adversary to gain access?"
  3. Tuning Detection Coverage: You can simulate changes to detection coverage based on onboarding additional data sources. After the initial onboarding phase and handover to the security operations center, you can select further data sources to improve coverage for detecting adversary behaviors, prioritize future data ingestion as part of the data onboarding process, or quantify the improvement to your detection coverage if you decide to invest in additional sensors, endpoint detection and response, or other security tools. This use case answers the question: "What happens to my coverage if I onboard an additional data source?"
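As an added illustration, not code from Cysiv Command, the toy model below derives a per-technique status (green, dark grey, red) from data-source health and runs the onboarding simulations behind the three use cases above. The technique-to-rule mapping, the data-source names and the status precedence (red wins over grey; one working rule is enough for green) are assumptions made for the example.

```python
"""Toy ATT&CK coverage model: technique status from data-source health.

Constructed sample data: the technique IDs are real ATT&CK IDs, but the rules
and data sources are invented for illustration and are not Cysiv's mapping.
"""
from collections import Counter

GREEN, RED, GREY = "green", "red", "dark_grey"

# Each technique has one or more rules; a rule needs ALL of its listed sources.
RULES = {
    "T1059.001": [["sysmon"], ["edr"]],     # PowerShell: either rule suffices
    "T1078": [["windows_security"]],        # Valid Accounts
    "T1071.001": [["proxy", "dns"]],        # Web protocols: one rule, two sources
    "T1003.001": [["edr", "sysmon"]],       # LSASS memory
}

# Source state: "online", "silent" (onboarded, no telemetry), or absent (not onboarded).
SOURCES = {"sysmon": "silent", "windows_security": "online", "proxy": "online"}


def rule_status(needed, sources):
    states = [sources.get(s) for s in needed]
    if all(st == "online" for st in states):
        return GREEN
    if any(st == "silent" for st in states):
        return RED      # assumption: an onboarded-but-quiet source outranks a missing one
    return GREY         # at least one needed source was never onboarded


def technique_status(tech, sources, rules=RULES):
    statuses = [rule_status(n, sources) for n in rules[tech]]
    if GREEN in statuses:   # assumption: one working rule gives probable detection
        return GREEN
    return RED if RED in statuses else GREY


def coverage(sources, rules=RULES):
    return {t: technique_status(t, sources, rules) for t in rules}


def gaps(sources, rules=RULES):
    """Use case 2: techniques that are not currently detectable."""
    return sorted(t for t, s in coverage(sources, rules).items() if s != GREEN)


def simulate_onboarding(sources, new_sources, rules=RULES):
    """Use case 3: techniques that turn green if new_sources come online."""
    before = coverage(sources, rules)
    after = coverage({**sources, **{s: "online" for s in new_sources}}, rules)
    return sorted(t for t in rules if before[t] != GREEN and after[t] == GREEN)


def rank_missing_sources(sources, rules=RULES):
    """Use case 1: techniques each not-yet-onboarded source would unlock on its own."""
    missing = {s for needs in rules.values() for n in needs for s in n} - sources.keys()
    return Counter({s: len(simulate_onboarding(sources, [s], rules)) for s in missing})
```

With the constructed sample, T1078 is green, T1071.001 is dark grey (dns never onboarded) and the two sysmon-dependent techniques are red, so onboarding `edr` alone recovers only T1059.001 until sysmon telemetry resumes.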

Cysiv Command is the focal point for a broad range of security-related activities, including accessing enriched logs, generating reports, and managing indicators, detections, security incidents and cases. It now also shows the latest data sources mapped to the MITRE ATT&CK framework in an intuitive and powerful dashboard.

Please request a demo if you'd like to learn more about Cysiv Command or the new MITRE ATT&CK dashboard and how it can help you further improve your security.